Re: [Snort-devel] ascii output's problems

From: Erek Adams <erek(at)snort.org>
Date: Fri Sep 12 2003 - 21:45:13 EDT

On Sat, 13 Sep 2003, Nicolas Delon wrote:

[...snip...]

> So, if someone attacks a host with a source port lower than the target
> port, path and filename will be inverted (source ip <=> destination ip,
> source port <=> destination port).

There's something you missed.

Check back up in the code a few lines:

    /* figure out which way this packet is headed in relation to the homenet */
    if((p->iph->ip_dst.s_addr & pv.netmask) == pv.homenet)
    {

        if((p->iph->ip_src.s_addr & pv.netmask) != pv.homenet)


If you use '-h 10.42.0.0/24' you don't have the problem. From the man page:

     -h home-net
          Set the "home network" to home-net. The format of  this
          address variable is a network prefix plus a CIDR block,
          such as 192.168.1.0/24.  Once this variable is set, all
          decoded  packet  logging  will  be done relative to the
          home network address space.  This is useful because  of
          the  way  that  Snort formats its ASCII log data.  With
          this value set to the local network, all decoded output
          will be logged into decode directories with the address
          of the foreign computer as the directory name, which is
          very useful during traffic analysis.

Cheers!



Erek Adams

   "When things get weird, the weird turn pro." H.S. Thompson
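The directory-selection logic discussed in this thread, as an added example that is not Snort's code: a small C model of the home-net test quoted above, with constructed addresses. It assumes (mirroring what the thread describes, not Snort's exact source) that with no -h both homenet and netmask are zero, so every address "matches" the home net, and that the fallback then compares ports and treats the side with the higher port as the foreign client. Under those assumptions a peer that connects from a source port lower than the target port gets logged under the victim's address, while -h 10.42.0.0/24 makes the foreign address win regardless of ports.

```c
/*
 * Added example (not Snort's code): a model of the home-net test quoted
 * above, showing why the log directory flips when -h is not given.
 *
 * Assumption (mirrors what the thread describes, not Snort's exact source):
 * with no -h, homenet and netmask are both 0, so every address "matches"
 * the home net and the fallback compares ports, treating the side with the
 * higher port as the foreign client.  A peer that picks a low source port
 * is then logged under the victim's address.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct pkt {
    uint32_t src, dst;   /* network byte order, like ip_src.s_addr */
    uint16_t sp, dp;     /* source / destination port, host order */
};

struct homenet {
    uint32_t net;        /* like pv.homenet, network byte order */
    uint32_t mask;       /* like pv.netmask, network byte order */
};

/* Parse "10.42.0.0/24" (the -h argument) into net/mask. */
static int parse_homenet(const char *cidr, struct homenet *hn)
{
    char buf[32], *slash;
    struct in_addr a;
    int bits;

    if (strlen(cidr) >= sizeof buf || !(slash = strchr(cidr, '/')))
        return -1;
    strcpy(buf, cidr);
    buf[slash - cidr] = '\0';
    bits = atoi(slash + 1);
    if (bits < 0 || bits > 32 || inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    hn->mask = bits ? htonl(0xffffffffu << (32 - bits)) : 0;
    hn->net  = a.s_addr & hn->mask;
    return 0;
}

/* The address used as the decode directory name. */
static uint32_t log_dir_addr(const struct pkt *p, const struct homenet *hn)
{
    int dst_home = (p->dst & hn->mask) == hn->net;
    int src_home = (p->src & hn->mask) == hn->net;

    if (dst_home && !src_home)      /* outside -> home: log under src */
        return p->src;
    if (src_home && !dst_home)      /* home -> outside: log under dst */
        return p->dst;
    /* both (or neither) in the home net: assumed port fallback */
    return p->sp >= p->dp ? p->src : p->dst;
}

/*
 * Constructed packet: 192.0.2.66:25 -> 10.42.0.5:80, an outside host
 * hitting a home web server from a source port lower than the target port.
 * Returns 1 if the chosen directory name equals `expect`.
 * homenet_cidr == NULL models starting without -h.
 */
static int logged_under(const char *homenet_cidr, const char *expect)
{
    struct homenet hn = { 0, 0 };
    struct pkt p;
    struct in_addr a;
    char dir[INET_ADDRSTRLEN];

    if (homenet_cidr && parse_homenet(homenet_cidr, &hn) != 0)
        return 0;
    inet_pton(AF_INET, "192.0.2.66", &a); p.src = a.s_addr;
    inet_pton(AF_INET, "10.42.0.5", &a);  p.dst = a.s_addr;
    p.sp = 25;
    p.dp = 80;
    a.s_addr = log_dir_addr(&p, &hn);
    inet_ntop(AF_INET, &a, dir, sizeof dir);
    return strcmp(dir, expect) == 0;
}

int main(void)
{
    printf("without -h, logged under victim 10.42.0.5: %s\n",
           logged_under(NULL, "10.42.0.5") ? "yes" : "no");
    printf("with -h 10.42.0.0/24, logged under foreign 192.0.2.66: %s\n",
           logged_under("10.42.0.0/24", "192.0.2.66") ? "yes" : "no");
    return 0;
}
```

The mask and address comparisons are done in network byte order on both sides, as in the quoted snippet, so the result does not depend on host endianness; only the `/bits` to mask conversion needs `htonl`.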



Received on Fri Sep 12 21:56:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:09 EDT

